.github/workflows/deploy.yml

---
name: 'Deploy'

on:
  push:
    branches:
      - main
  pull_request:
    paths:
      - "deploy/**"

jobs:
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup python
        uses: actions/setup-python@v5
        with:
          python-version: 3.x
      - name: Install environment
        run: |
          curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
          chmod +x jq
          pip install yq git+https://github.com/tdviet/fedcloudclient.git
      - name: Configure providers access
        env:
          REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }}
          ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }}
        run: |
          # using parametric scopes to only have access to cloud.egi.eu VO
          SCOPE="openid%20email%20profile%20voperson_id"
          SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
          SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu"
          OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
                            -d "grant_type=refresh_token&client_id=token-portal&scope=$SCOPE&refresh_token=$REFRESH_TOKEN" \
                          | jq -r ".access_token")
          echo "::add-mask::$OIDC_TOKEN"
          cd deploy
          BACKEND_SITE="$(yq -r .clouds.backend.site clouds.yaml)"
          BACKEND_VO="$(yq -r .clouds.backend.vo clouds.yaml)"
          EGI_SITE="$(yq -r .clouds.deploy.site clouds.yaml)"
          DEPLOY_VO="$(yq -r .clouds.deploy.vo clouds.yaml)"
          echo "EGI_SITE=$EGI_SITE" >> "$GITHUB_ENV"
          BACKEND_OS_TOKEN="$(fedcloud openstack token issue --oidc-access-token "$OIDC_TOKEN" \
                                                             --site "$BACKEND_SITE" --vo "$BACKEND_VO" -j | jq -r '.[0].Result.id')"
          echo "::add-mask::$BACKEND_OS_TOKEN"
          sed -i -e "s/backend_secret/$BACKEND_OS_TOKEN/" clouds.yaml
          DEPLOY_OS_TOKEN="$(fedcloud openstack token issue --oidc-access-token "$OIDC_TOKEN" \
                                                             --site "$EGI_SITE" --vo "$DEPLOY_VO" -j | jq -r '.[0].Result.id')"
          echo "::add-mask::$DEPLOY_OS_TOKEN"
          sed -i -e "s/deploy_secret/$DEPLOY_OS_TOKEN/" clouds.yaml
          mkdir -p ~/.config/openstack
          touch ~/.config/openstack/secure.yaml
          FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker create \
                                   --oidc-access-token "$OIDC_TOKEN" \
                                   --ttl 1h --num-uses 2)"
          echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN"
          fedcloud secret put --locker-token "$FEDCLOUD_LOCKER_TOKEN" deploy "data=$ANSIBLE_SECRETS"
          echo "FEDCLOUD_LOCKER_TOKEN=$FEDCLOUD_LOCKER_TOKEN" >> "$GITHUB_ENV"
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.2.9
      - name: Terraform Format
        id: fmt
        run: |
          cd deploy
          terraform fmt -check
      - name: Terraform init
        id: init
        run: |
          cd deploy
          terraform init
      - name: Adjust cloud-init file
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: |
          cd deploy
          sed -i -e "s/%TOKEN%/${{ secrets.GITHUB_TOKEN }}/" cloud-init.yaml
          sed -i -e "s/%REF%/${{ github.sha }}/" cloud-init.yaml
          sed -i -e "s/%SHORT_REF%/$(git rev-parse --short HEAD)/" cloud-init.yaml
          sed -i -e "s#%SLACK_WEBHOOK_URL%#$SLACK_WEBHOOK_URL#" cloud-init.yaml
          sed -i -e "s/%FEDCLOUD_LOCKER_TOKEN%/$FEDCLOUD_LOCKER_TOKEN/" cloud-init.yaml
          sed -i -e "s/%CLOUDS_YAML%/$(base64 -w 0 < clouds.yaml)/" cloud-init.yaml
      - name: terraform plan
        id: plan
        #if: github.event_name == 'pull_request'
        run: |
          cd deploy
          terraform plan -no-color -var-file="$EGI_SITE.tfvars"
        continue-on-error: true
      - name: Update Pull Request
        uses: actions/github-script@v7
        #if: github.event_name == 'pull_request'
        env:
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
            <details><summary>Show Plan</summary>

            \`\`\`
            ${process.env.PLAN}
            \`\`\`

            </details>

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })
      - name: Terraform Plan Status
        if: steps.plan.outcome == 'failure'
        run: exit 1
      - name: Terraform Apply
        id: terraform-apply
        #if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: |
          cd deploy
          terraform apply -auto-approve -var-file="$EGI_SITE.tfvars"
      - name: Get VM ID
        id: terraform-vm-id
        #if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: |
          cd deploy
          terraform output -raw instance-id
      - name: Re-configure providers access
        env:
          REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }}
        run: |
          # using parametric scopes to only have access to cloud.egi.eu VO
          SCOPE="openid%20email%20profile%20voperson_id"
          SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
          SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu"
          OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
                            -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \
                          | jq -r ".access_token")
          echo "::add-mask::$OIDC_TOKEN"
          cd deploy
          BACKEND_SITE="$(yq -r .clouds.backend.site clouds.yaml)"
          BACKEND_VO="$(yq -r .clouds.backend.vo clouds.yaml)"
          BACKEND_OS_TOKEN="$(fedcloud openstack token issue --oidc-access-token "$OIDC_TOKEN" \
                                                             --site "$BACKEND_SITE" --vo "$BACKEND_VO" -j | jq -r '.[0].Result.id')"
          echo "::add-mask::$BACKEND_OS_TOKEN"
          sed -i -e "s/backend_secret/$BACKEND_OS_TOKEN/" clouds.yaml
          mkdir -p ~/.config/openstack
          touch ~/.config/openstack/secure.yaml
      - name: Get the status file from swift
        #if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        uses: nick-fields/retry@v3
        with:
          timeout_minutes: 10
          max_attempts: 20
          retry_wait_seconds: 40
          command: >
            set -x &&
            pushd deploy &&
            openstack --os-cloud backend object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" &&
            openstack --os-cloud backend object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}"
      - name: Look for errors
        #if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: |
          cd deploy
          # show the status in the build log
          cat "${{ steps.terraform-vm-id.outputs.stdout }}"
          grep -v "error" "${{ steps.terraform-vm-id.outputs.stdout }}"